One Million Dollar Breach Notification Fine for Indian Bank Shows Increased Efforts by Regulators to Force Information Sharing Following a Breach

The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. After learning of the incident, Yes Bank did not report the breach, which RBI viewed as a violation of the bank’s obligation to report within 6 hours of discovery.

This $1 million fine represents a dramatic escalation in breach notification enforcement. To date, there have been relatively few such cases, and most have resulted in resolutions with much smaller penalties. Following the criticism of Yahoo! and Equifax for their untimely breach notifications, the Yes Bank fine may be a sign that regulators are starting to aggressively enforce breach notification laws. Like Yes Bank, many U.S. institutions have very short breach notification deadlines, including those that are subject to the 72-hour notification requirements in the New York Department of Financial Services (“NYDFS”) cyber rules, and the thousands of U.S. companies that will be subject to the European Union’s General Data Protection Regulation come May 2018.

Traditionally, breach notification requirements were designed to alert people that their personal information had been stolen, so that they could take steps to prevent fraud and identity theft. But increasingly, regulators have been using these obligations to gather information on threats and alert other private companies of increased risks, so that they can take appropriate precautions. U.S. companies are certainly encouraged to share information on cyber threats. The U.S. Department of Homeland Security maintains an Automated Indicator Sharing program, which facilitates almost real-time information sharing on cyber threats. Companies can also share information with other private sector entities through various Information Sharing and Analysis Centers, or ISACs. But information sharing has generally not been mandatory, and many companies have declined to do so. Some have found it difficult to share cyber threat information without also sharing sensitive company or client data. Others believe that they have devoted far more resources to cybersecurity than their competitors, and are therefore reluctant to just hand over what they view as a valuable competitive advantage.

Following the Bangladesh Bank hack, and noting that “banks are hesitant to share cyber-incidents faced by them,” RBI required the banks that it regulates to report all unusual cybersecurity events, including unsuccessful attacks, within 6 hours of discovery, to allow it to issue a timely warning to other banks. Similarly, a recent FAQ posted on the NYDFS website notes that certain significant and unusual cyber attacks should be reported, even if unsuccessful, “to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries.” So, it seems that if companies do not see the value of sharing threat information following a breach to the industry as a whole, regulators are becoming inclined to force hub-and-spoke threat sharing through existing breach notification regimes.

We will keep a close eye on this significant development, which will make it even more important that companies are able to ascertain all of their various state and federal notification obligations quickly following a breach. The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help with notification rules, including a simple, query-based tool that assists clients in quickly assessing their cyber breach notification obligations in 48 states and under HIPAA and Gramm-Leach-Bliley. The Portal is currently being beta tested by a select group of clients.

The listed lawyers gratefully acknowledge the assistance of law clerk Zachary Shapiro in preparing this post.

RELATED PROFESSIONALS

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

Mr. Leibowitz is a partner in Davis Polk’s Washington DC and New York offices. His practice focuses on the complex antitrust aspects of mergers and acquisitions as well as government and private antitrust investigations and litigation. He also provides counsel in the developing areas of consumer protection and privacy law as well as advocacy involving Congress.

Mr. MacBride is co-chair of the firm’s White Collar Criminal Defense and Government Investigations Group. His practice focuses on government enforcement actions, internal investigations, congressional investigations, and complex civil litigation. His matters have included advising clients in connection with foreign corrupt practices, economic sanctions, cybersecurity risks, False Claims Act violations, market manipulation, insider trading, and securities, health care, procurement and tax fraud. His wide-ranging investigations and trial experience span more than two decades and across all three branches of the government, most recently as the U.S. Attorney for the Eastern District of Virginia.

Mr. Perez-Marques is a partner in Davis Polk’s Litigation Department. His practice spans complex commercial litigation, including securities and M&A-related litigation, as well as securities enforcement and white collar matters. He also has extensive experience advising Spanish, Latin American and other foreign clients concerning U.S. litigation matters, and domestic clients concerning overseas and cross-border disputes.

Ms. Seshens is a partner in Davis Polk’s Litigation Department. Her practice focuses on complex commercial litigation, securities class actions, and bankruptcy litigation. She has extensive experience representing corporate clients and professional firms with respect to a wide range of civil litigation and advisory matters.

Ms. Gross is counsel in Davis Polk’s Intellectual Property and Technology Department in the Northern California office. Her practice includes a wide range of intellectual property-related matters, including strategic alliances, joint ventures and licensing, as well as intellectual property strategy and commercialization, copyright, patent and trademark matters. She also advises clients on data privacy and security matters, including cybersecurity, technology and data initiatives, development of privacy and data security policies and product development.

Disclaimer

cyberbreachcenter.com is a collection of informational products provided by Davis Polk & Wardwell LLP. In its capacity as provider of cyberbreachcenter.com and its component parts, Davis Polk is acting as an information provider.

cyberbreachcenter.com and its component parts do not constitute, and are not intended to constitute, legal advice with respect to any particular circumstance, do not create an attorney-client relationship with Davis Polk & Wardwell LLP or any of its associated entities and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.
